Hancock College's SSO system requires many employees to use a Multi-Factor Authentication. Protecting an account with Multi-Factor Authentication is optional for student and other employee accounts. Users who are required to use Multi-Factor Authentication include:
- Users with access to Banner Admin pages
- Users with access to Banner Finance purchase orders
- By Winter Term 2021 all Hancock College Employees will need to use Multi-Factor Authentication
How Multi-Factor Authentication Works
Multi-factor authentication is a security concept that requires a user to produce two pieces of information. The first, is something the user knows – like a password. The second, is something that the user has – such as access to a specific email account or a specific cell phone number. By requiring a user to produce two pieces of information an SSO system has greater confidence that the user is who they claim to be.
Multi-factor authentication is now required at Hancock College for access to certain sensitive applications such as Banner Admin pages. Users who use those applications will have an additional step to logging in for those applications. However, when those users log in to services not requiring multi-factor authentication, they will only be required to enter a valid username and password.
Multi-factor authentication can optionally be turned on by users but is not required. If this option is turned on by a user, all logins will require the additional multi-factor step.
How to Opt-In to Multi-Factor Authentication
Opting in to Multi-Factor Authentication is done on the Account Management page which can be found at https://hancockcollege.onbio-key.com/. Clicking the "Enable/Disable Multi-Factor" heading will expand the setting and show the current status. (Users who are required to use Multi-Factor Authentication will not have this as an option.) To enable Multi-Factor Authentication click the "Enable Multi-Factor for my account" link and click "OK" on the resulting dialog message.
Mutli-Factor Authentication Methods
There are several multi-factor options available at Hancock College. They include:
- Personal Email Address – an email address that does not include hancockcollege.edu
- SMS/Text Message – a cellular phone number capable of receiving SMS text messages
- PortalGuard Phone App – an Android and iPhone application which can be opened at the time of logging in to generates a one-time password.
- Security Key – a device which plugs into your computer’s USB port and is meant to be taken out of the computer when the user is away. (https://www.yubico.com/store/#security-key-series)
- Printed Passcodes - A list of 10 pre-assigned OTP that can be printed out. For employee use only.
- Help Desk – the Help Desk will be able to provide users a one-time password which they can use. This should only be used as a fallback method when a user has not setup any other multi-factor methods or no longer has access to the methods above.
A logged in user can view the current Multi-Factor Authentication destinations at the Account Management page. Each of the available Multi-Factor Authentication methods will have its own section, which can be expanded by clicking on the heading. Some of these methods can be configured in the the Account Management page, while others need to be entered in Self Service Banner.
Updating Multi-Factor Authentication
Personal Email Address - a personal email address can be updated by using the Personal Information form on Banner Self Service.
To update the "Personal and Password Reset Email" address, click the pencil icon below the email address and enter a new address.
Only one personal and password reset email address can be used.
SMS/Text Message - an SMS capable cell phone number can be added via the Personal Information form on Banner Self Service. To set the default phone number used to deliver One Time Passcodes the "Text Message" phone type must be used. To edit an existing Text Message number click the pencil icon below the phone number and enter a new number. To add a new phone number, click the "(+) Add New" link, select a "Text Message" type and enter the new number.
Additional, backup phone numbers can be added on the Account Management page by expanding the "Registered Phones" section and following the prompts to enter a phone number. Phone numbers entered through this method can not be used as the default OTP delivery method, but they can be used to deliver an OTP by clicking on the "Problems with OTP?" link on the OTP entry form.
Mobile Authenticator - a smart phone application can be installed to provide you with an OTP.. To add the app:
- Expand the "Mobile Authenticator" section on the Account Management page.
- Click the link to open the app store for your phone operating system.
- Once the app is installed click on the "Enable mobile authenticator" link on the Account Management Page and select the correct phone type and press "continue".
- A QR code will appear on the screen:
- Open the authenticator app on the phone and tap the "Enroll" button. (The phone might prompt for permission to use the camera, which needs to be allowed.)
- Scan the QR code with the phone's camera in the Mobile Authenticator app
- Take the 6 digit number from the phone app and enter that in the "One Time Passcode" field in the Account Management page in the web browser
- Click and tap "Continue" on the Account Management page as well as the phone app.
- On the Android PortalGuard App, users will need to click the "Generate My OTP" button near the bottom of the screen to view their OTP:
Printed Passcodes - Employees can also utilize printed passcodes, which are a list of pre-assigned OTPs which may be printed out ahead of time. To use this feature, users must go to the PortalGuard Account Management (hancockcollege.onbio-key.com) and click on the Printed One Time Passcodes section and then the "Print new OTPs" link. This will output a list of codes which can be printed. Each passcode can only be used once and should be crossed out by the user when used. Once all 10 codes have been used the user will need to return to this area to print new codes. The user can invalidate any already generated codes by either printing a new list of codes or clicking on the "Clear printed OTP's" link.
One Time Passcodes
Logging in with a One Time Passcode
When a user has Multi-Factor Authentication enabled, one additional step is added to the log in process. Following a correct username and password entry the user will see form requesting the user enter a One Time Passcode (OTP):
This passcode is a multi digit number which verifies the user from one of the Mutli-Factor Authentication delivery methods. When the form opens an OTP is sent to the user's default Mutl-Factor Authentication delivery method. If the default method is not available the user can click the "Problems with OTP?" link which will give the user options to enter in any additional Multi-Factor Authentication delivery methods.The email address and phone numbers will be partially masked for security. Clicking on the "Send OTP as ...." link will trigger an SMS or Email to be sent or a prompt will be brought up to use the Mobile Authenticator App or enter a Help Desk provided OTP.
Remembering the Browser
Because the process of entering an OTP at logon can be cumbersome, the "Remember this device?" checkbox will remember the users session for one week. The user will still need to log in through SSO after signing out or every 4 hours, but the One Time Passcode form will not need to be entered again. Once checked, an input titiled Browser Descrpition will popup with the name of your web browser and the date, The defaut text can remain.
The "Remember this device?" checkbox is per browser session. The user will need to perform this on every browser and computer. Checking this box in an incognito mode browser window not save the session. Any sort of clearing of cookies might impact the browsers ability to save this setting.
Changing Default One Time Passcode Delivery Method
The user can control which delivery method is used to send the OTP after entering the user's password. This can be configured in the Account Management page by expanding the Mutli-Factor Delivery Methods section.
In this section a user can determine which Multi-Factor Authentication method is to be used for each type of action that requires an OTP. To update the Muti-Factor method for normal logins the user will click the "Change" button at the end of the "Website Login" row. Below, all available methods will be shown and the user can select a new method and click continue. Users can set the OTP methods used for account unlocks and password changes.
Common Problems with One Time Passcodes
OTP Delivery Error
If a user has Mult-Factor Authentication turned on and the user does not have a personal password reset email address set, the user will see an error message like the one below:
A personal email address must be added to Allan Hancock's Banner system to give the user the default Multi-Factor Authentication method of an email address. To resolve this issue:
- Employees should contact the Help Desk at ext. 3345 or helpdesk@hancockcollege.edu
- Students must visit or call Admissions and Records. The student should ask the Admissions and Records staff to update their "Personal Email Address". The student will need to prove their identity to Admissions and Records staff.
OTP Delivery Method Unavailable
When an OTP is required for a user to login or change a password, the user might find that the default method the OTP is being sent is no longer accessible or is incorrect. It is possible the user has another OTP delivery method set up, such as an SMS phone. Click the "Problems with the OTP?" link. This will bring up a list of all the available OTP delivery methods available to the user. If one of these methods such as a phone number is accesible by the user the user can click the "Send OTP as SMS" link to send a new OTP to the number listed.
If none of the methods on the "Problems with the OTP?" link page are accessible the user will need to contact staff at Hancock College.
- Employees should contact the Help Desk at ext. 3345 or helpdesk@hancockcollege.edu
- Students must visit or call Admissions and Records. The student should ask the Admissions and Records staff to update their "Personal Email Address". The student will need to prove their identity to Admissions and Records staff.
Browser Does Not "Remember Me"
Using the "Remember Me" checkbox is a feature that enables users to only have to enter an OTP every time they log in. This feature does depend on browser functionalilty known as cookes. Sometimes the setting of cookies is disabled by the user's browser. Visiting a site using a browser's Incognito or Private browser mode will not persist a user's preference to be remembered by SSO. Also settings in Chrome and Firefox can enable all cookies to be reset after closing the browser window. This will remove the broweser's ablility to keep a user loggged in to Hancock College's SSO. A Chrome user can check these browser settings by:
- Go to chrome://settings/
- Scroll to the “Privacy and Security” section and click the “Cookies and other site data” section
- Make sure the “Clear cookies and site data when you quit Chrome” option is unchecked:
For Firefox users:
- Go to about:preferences
- Click on “Privacy & Security”
- Scroll down to the “Cookies and Site Data” section and confirm that “Delete cookies and site data when Firefox is closed” is unchecked.